Installers typically include payloads of files that are unpacked onto a local computer for installation. Installers can be checked for compliance with a security policy, e.g., a security policy of an enterprise that includes the local computer receiving the payload, often by tracking the behavior of the installer through files that are accessed, opened, and produced at runtime. An application control (AC) solution may be configured to detect when an executable or other file is being opened by the installer, and to allow or block the action of opening or running that file to comply with a security policy. However, at the point when the file is being accessed, the AC solution may not necessarily know contextual information regarding the file, e.g., why the file is present and why the file is being accessed. Because of this lack of contextual knowledge, the quality of a run/block decision by the AC solution may be compromised, leading to false positive or false negative decisions. There is a need for improved techniques for evaluating installers and installer payloads.